[whatwg] First or last Content-Type header?

On Wed, Jun 3, 2009 at 12:51 AM, Aryeh Gregor <Simetrical+w3c at gmail.com> wrote:
> Sending a text/plain Content-Type will not prevent any
> (default-configured) version of IE from interpreting the file as HTML,
> even if it's the *only* Content-Type header sent. ?This is why Adam
> Barth said "The only browser that uses the first header more or less
> ignores it anyway." ?This apparently isn't fixed even in IE8: it
> insists on still upsniffing text/plain to text/html unless you use the
> nonstandard header "Content-Type: text/plain; authoritative=true;".

http://blogs.msdn.com/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx
- it's "X-Content-Type-Options: nosniff" now (and is used a bit in
practice - it's on about 0.1% of pages from
http://www.dotnetdotcom.org/, though about half of them are owned by
Google or Microsoft).

-- 
Philip Taylor
excors at gmail.com

Received on Wednesday, 3 June 2009 00:36:10 UTC